import util.JDBCUtils;

import java.sql.*;

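public class SQLInjection {
    /**
     * Demo entry point: runs the lookup with an injection-style payload to show that a
     * bound parameter is handled as literal data and cannot alter the statement.
     */
    public static void main(String[] args) throws SQLException {
        searchName("' 'or '1=1'");
    }

    // Login lookup.
    /**
     * Selects the rows of {@code app_user} whose {@code name} equals {@code username} and
     * prints each row's {@code id} and {@code phone} to standard output.
     *
     * <p>The SQL text holds only a {@code ?} placeholder; the value is bound with
     * {@link PreparedStatement#setString(int, String)}, so it is sent to the driver as a
     * parameter and is never concatenated into the query. The same placeholder pattern
     * applies to writes, e.g. an insert whose {@code ?} slots are bound with
     * {@code setString}/{@code setInt} before {@code executeUpdate()}.
     *
     * <p>The work runs in an explicit transaction (auto-commit off). On failure the
     * transaction is rolled back, and the connection, statement and result set are
     * released in all cases — the original version skipped the release when a step threw.
     *
     * @param username exact name to match, passed as a bound parameter
     * @throws SQLException if obtaining the connection, the query, or the commit fails;
     *         the transaction has been rolled back before the exception propagates
     */
    public static void searchName(String username) throws SQLException {
        // Obtain the database connection.
        Connection connection = JDBCUtils.getConnection();
        PreparedStatement preparedStatement = null;
        ResultSet resultSet = null;
        try {
            // Turn off auto-commit, i.e. open a transaction.
            connection.setAutoCommit(false);
            // Pre-compiled statement: written first, executed later, parameters given as '?'.
            preparedStatement = connection.prepareStatement("select * from app_user where name=?");
            // Bind the parameter by position.
            preparedStatement.setString(1, username);
            // Execute the query.
            resultSet = preparedStatement.executeQuery();
            while (resultSet.next()) {
                System.out.println("id:" + resultSet.getObject("id") + "phone:" + resultSet.getObject("phone"));
            }
            // Work done, commit the transaction.
            connection.commit();
        } catch (SQLException e) {
            // Undo the open transaction; a rollback failure must not hide the original error.
            try {
                connection.rollback();
            } catch (SQLException rollbackFailure) {
                e.addSuppressed(rollbackFailure);
            }
            throw e;
        } finally {
            // Release the resources even when an earlier step threw. The statement and
            // result set may still be null here.
            // NOTE(review): assumes JDBCUtils.release tolerates null arguments — confirm.
            JDBCUtils.release(connection, preparedStatement, resultSet);
        }
    }
}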
